
Bucket "ServerlessDeploymentBucket" doesn't have a BucketPolicy forbidding unsecure HTTP access but it does.

Open KerberosMorphy opened this issue 3 years ago • 1 comments

Hi, this is related to an issue I opened on serverless/serverless/issues/8076.

It seems that safeguards doesn't accept the policy the Framework generates for the deployment bucket even if it does forbid unsecure HTTP access.

Warned - Bucket "ServerlessDeploymentBucket" doesn't have a BucketPolicy forbidding unsecure HTTP access.

The Framework creates such a policy, but internally the resource is referenced via:

{
  "Fn::Join": [
    "",
    [
      "arn:",
      {
        "Ref": "AWS::Partition"
      },
      ":s3:::",
      {
        "Ref": "ServerlessDeploymentBucket"
      },
      "/*"
    ]
  ]
}

While the plugin strictly expects:

{
  "Fn::Join": [
    "",
    [
      "arn:aws:s3:::",
      {
        "Ref": "ServerlessDeploymentBucket"
      },
      "/*"
    ]
  ]
}

And due to that, it doesn't recognize the policy and raises a warning.

Let me know if you need more information.

KerberosMorphy avatar Aug 28 '20 15:08 KerberosMorphy

@KerberosMorphy thanks for reporting. It's definitely a bug that's worth fixing. We welcome a PR that addresses it.

medikoo avatar Aug 31 '20 08:08 medikoo
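An added example, not part of the thread and not the plugin's own code: one way a policy check can accept both Resource forms quoted in the issue by flattening `Fn::Join` and comparing the result, instead of deep-comparing against a single literal template. The function names, the list of accepted partitions, the statement shape (`Effect: Deny` with `Bool aws:SecureTransport = false`) and the sample policy are assumptions made for illustration.

```javascript
// Added example, not the plugin's code. Refs are rendered as "${LogicalId}".
function flatten(value) {
  if (typeof value === 'string') return value;
  if (value && typeof value === 'object') {
    if (typeof value.Ref === 'string') return '${' + value.Ref + '}';
    const join = value['Fn::Join'];
    if (Array.isArray(join) && Array.isArray(join[1])) {
      const parts = join[1].map(flatten);
      return parts.includes(null) ? null : parts.join(join[0]);
    }
  }
  return null; // unsupported intrinsic: report "no match" rather than guess
}

// True when resource is arn:<partition>:s3:::<bucket>/* for the given bucket,
// with the partition either a literal or {"Ref": "AWS::Partition"}.
function targetsAllObjects(resource, bucketLogicalId) {
  const flat = flatten(resource);
  const partitions = ['aws', 'aws-cn', 'aws-us-gov', '${AWS::Partition}'];
  return partitions.some((p) => flat === 'arn:' + p + ':s3:::${' + bucketLogicalId + '}/*');
}

// Assumed statement shape: Effect Deny with Bool aws:SecureTransport = false.
function forbidsInsecureTransport(policyDocument, bucketLogicalId) {
  return [].concat(policyDocument.Statement || []).some((s) => {
    const bool = (s.Condition && s.Condition.Bool) || {};
    return s.Effect === 'Deny' &&
      String(bool['aws:SecureTransport']) === 'false' &&
      [].concat(s.Resource || []).some((r) => targetsAllObjects(r, bucketLogicalId));
  });
}

// The two Resource forms quoted in the issue.
const frameworkForm = { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':s3:::', { Ref: 'ServerlessDeploymentBucket' }, '/*']] };
const literalForm = { 'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'ServerlessDeploymentBucket' }, '/*']] };

// Constructed policy document wrapping the Framework's Resource form.
const samplePolicy = {
  Statement: [{ Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: [frameworkForm],
    Condition: { Bool: { 'aws:SecureTransport': false } } }],
};

console.log(targetsAllObjects(frameworkForm, 'ServerlessDeploymentBucket'));
console.log(forbidsInsecureTransport(samplePolicy, 'ServerlessDeploymentBucket'));
```

Intrinsics the flattener does not understand yield no match, so the check errs toward warning rather than silently passing a policy it cannot read.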